CVE-2026-32589
Published: 08 April 2026
Summary
CVE-2026-32589 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Redhat Mirror Registry For Red Hat Openshift. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks at the 11.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-4 (Information in Shared System Resources).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly preventing authenticated users from interfering with image uploads in unauthorized repositories.
- SC-4 (Information in Shared System Resources): prevents unauthorized information transfer via shared system resources exploited during concurrent container image uploads across the registry.
- Least functionality for push privileges: limits push privileges to the least functionality required for specific repositories, reducing the attack surface for cross-repository upload interference.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authorization bypass lets an attacker tamper directly with in-progress container image uploads (transmitted data manipulation) and compromise the software supply chain by undermining the integrity of images held in the registry.
NVD Description
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.
Deeper analysis
CVE-2026-32589 is a vulnerability in Red Hat Quay's container image upload process, classified under CWE-639 (Authorization Bypass Through User-Controlled Key). It enables interference with concurrent image uploads across the registry. The issue was published on 2026-04-08 and carries a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low complexity, and scope change.
An authenticated attacker with push access to any repository on the Red Hat Quay registry can exploit this flaw to target in-progress image uploads by other users, including those in repositories to which the attacker lacks access. Successful exploitation allows the attacker to read, modify, or cancel these uploads, potentially disrupting operations or compromising image integrity.
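The CWE-639 pattern the analysis describes, shown as an added illustration that is not Quay's code and not Red Hat's fix: a registry-style chunk-upload handler that resolves an in-progress upload session by the client-supplied upload identifier alone, beside a hardened handler that scopes the lookup to the repository named in the request and requires push authorization on that repository. The classes, the in-memory store, and the users, repositories and upload identifiers are all constructed for the example.

```python
"""Added illustration of CWE-639 in a registry upload flow (constructed, not
Quay's code): an upload session found by a client-supplied key alone versus a
lookup bound to the repository and to the caller's push permission on it."""
from dataclasses import dataclass, field
import secrets


class AuthzError(Exception):
    """Raised when a request is rejected; a real server would map it to 401/403/404."""


@dataclass
class UploadSession:
    upload_id: str                       # opaque id handed back to the client
    repo: str                            # repository the upload was started in
    owner: str                           # user who started it
    chunks: list = field(default_factory=list)


class Registry:
    """Minimal in-memory registry: a push ACL and a table of open upload sessions."""

    def __init__(self):
        self.push_acl: dict[str, set[str]] = {}    # repo -> users with push
        self.sessions: dict[str, UploadSession] = {}

    def grant_push(self, repo: str, user: str) -> None:
        self.push_acl.setdefault(repo, set()).add(user)

    def can_push(self, user: str, repo: str) -> bool:
        return user in self.push_acl.get(repo, set())

    def start_upload(self, user: str, repo: str) -> str:
        if not self.can_push(user, repo):
            raise AuthzError("no push access to %s" % repo)
        upload_id = secrets.token_hex(8)
        self.sessions[upload_id] = UploadSession(upload_id, repo, user)
        return upload_id

    # --- Vulnerable pattern (CWE-639) ----------------------------------------
    def patch_chunk_vulnerable(self, user: str, upload_id: str, data: bytes) -> int:
        """Checks only that the caller can push *somewhere*, then trusts the
        client-supplied upload_id to select the session: any pusher can append
        to (or, with matching read/cancel handlers, read or cancel) any upload."""
        if not any(user in users for users in self.push_acl.values()):
            raise AuthzError("not a pusher")
        session = self.sessions[upload_id]          # user-controlled key, unscoped
        session.chunks.append(data)
        return len(session.chunks)

    # --- Hardened pattern ------------------------------------------------------
    def _session_for(self, user: str, repo: str, upload_id: str) -> UploadSession:
        """Authorize against the repository in the request, then require the
        session to belong to that repository and to the caller. Unknown and
        foreign sessions get the same answer so the id is not an oracle."""
        if not self.can_push(user, repo):
            raise AuthzError("no push access to %s" % repo)
        session = self.sessions.get(upload_id)
        if session is None or session.repo != repo or session.owner != user:
            raise AuthzError("upload not found in %s" % repo)
        return session

    def patch_chunk_hardened(self, user: str, repo: str, upload_id: str, data: bytes) -> int:
        session = self._session_for(user, repo, upload_id)
        session.chunks.append(data)
        return len(session.chunks)


def demo() -> dict:
    """Constructed scenario: alice uploads to team-a/app; mallory can push only
    to mallory/scratch but has obtained alice's upload identifier."""
    reg = Registry()
    reg.grant_push("team-a/app", "alice")
    reg.grant_push("mallory/scratch", "mallory")
    uid = reg.start_upload("alice", "team-a/app")
    reg.patch_chunk_vulnerable("alice", uid, b"layer-1")

    result = {}
    # Vulnerable handler: a cross-repository write to alice's upload succeeds.
    result["vuln_cross_repo_chunks"] = reg.patch_chunk_vulnerable("mallory", uid, b"tampered")
    # Hardened handler: rejected whether mallory names the victim repo or her own.
    for repo in ("team-a/app", "mallory/scratch"):
        try:
            reg.patch_chunk_hardened("mallory", repo, uid, b"tampered")
            result["hardened_" + repo] = "accepted"
        except AuthzError as exc:
            result["hardened_" + repo] = str(exc)
    # The owner can still continue her own upload through the hardened path.
    result["owner_chunks"] = reg.patch_chunk_hardened("alice", "team-a/app", uid, b"layer-2")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The design point is the one the CWE names: an identifier the client sends back must never be the sole selector for a shared resource. The hardened handler takes the repository from the request path, enforces push authorization on that repository (the AC-3 control listed above), and then treats the upload identifier only as a key within that repository and owner; a session that exists but belongs elsewhere is reported exactly like one that does not exist.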
Mitigation details and patches are documented in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-32589 and the associated Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2446963. Security practitioners should consult these resources for version-specific remediation guidance.
Details
- CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)